1. Governance
1.1 Recruiting, evaluating and training boards of directors Background
Boards govern significant public sector
organizations
Boards of directors govern over 100 organizations in the Alberta public sector. Many of these public sector organizations deliver significant services to, or protect, Albertans. The organizations are involved in diverse activities including banking, health care, education, regulatory management, and social services. These organizations have been
Audits and recommendations Cross-Ministry
their boards govern them. Good governance can only occur if capable and well motivated individuals are appointed as chairs and directors to these boards. Good governance also depends on chairs and directors receiving feedback on their performance against clear expectations and furthering their governance skills. We believe that effective recruitment, evaluation and training, conducted efficiently, are fundamental to successful board governance.
Criteria: the standards we used for our audits
To develop the criteria that we used to assess the processes, we drew on guidance in current literature. In the last few years, a great deal has been written on good governance. This includes guidance on the characteristics of individuals who would be excellent director candidates and on how to recruit them. Further guidance exists on evaluation and on training directors. Also, we used the current guidance that applies directly to the Alberta public sector. The two key documents are the Public Service Commissioner’s Directive on Recruitment for Agencies, Boards and Commissions dated October 1, 1997 (the Directive) and a report entitled Review of Agencies, Boards and Commissions and Delegated
Administrative Organizations dated April 30, 2001 (Renner Report). The following underlying principles summarize our criteria:
1. Recruiting systems identify candidates for directorship appointments who meet key characteristics such as integrity, competency in
governance, relevant skills, and ability to fulfill their governance obligation. In particular, the systems result in boards that have the balance of skills and abilities to govern and chairs that are effective leaders.
2. Evaluating systems are based on clear expectations and provide meaningful feedback to help directors and boards to improve performance.
3. Training systems focus on enhancing directors’ ability to govern by providing directors with knowledge of emerging governance
practices and understanding of the organization, its environment, and legislation.
Also, we believe transparency is a fundamental principle. That is, boards need to account to stakeholders, through such means as an annual report, on how well they met relevant governance principles.
We focused the audit on boards appointed by the Lieutenant Governor in Council.
Audits and recommendations Cross-Ministry
Recommendation No. 1
We recommend that the Deputy Minister of Executive Council update Alberta public sector governance principles and guidance so that they are consistent with current good practices for recruiting, evaluating and training directors.
Recommendation No. 2
We recommend that the guidance include a statement that governing boards evaluate and report publicly their own performance against both Alberta public sector principles and their own board
governance policies.
Our audit findings
Practise varied according to the initiative taken
Substantially all directors expressed a desire to excel at meeting their obligations to govern well. In doing so, they want to improve their performance and that of their organization. Some organizations met or exceeded our criteria, while others did not. We saw examples of departments providing excellent support to boards in improving governance. Also, we found boards who took the initiative to improve their governance practices. The key finding is that in a good number of cases, but not all, initiative is being taken to improve governance.
Guidance needed on what good governance means
In our opinion the Alberta public sector must establish a common and current understanding of what good governance means. In the areas we examined, some provincial guidance has been published. The Renner Report recommends that ministers and boards enter into agreements on roles and responsibilities. The Report provides guidance on the content of a memorandum of understanding (MOU) and includes some aspects of good governance. The Directive provides guidance that assists in
identifying good quality candidates for directorship and was best practice when it was implemented in 1993 and updated in 1997.
Guidance for director
recruitment needs to be updated and followed
In our sample, however, approximately half of the organizations did not have a MOU. We also saw that the Directive for recruitment should be enhanced and commitment to its guidance should be reinforced, since it was not consistently being followed.
Approximately half of the organizations had deficiencies in their processes for evaluating boards and directors. Orientation training for directors was provided; however, the establishment of continuous training programs was inconsistent.
Audits and recommendations Cross-Ministry
in response to governance failures in the private sector which is why the guidance is expressed in private sector terms. Nevertheless, this new guidance provides important and relevant insight to opportunities to improve governance in the Alberta public sector.
Limited reporting
on governance Our audit found limited external reporting on boards’ governance
practices, although transparency is a cornerstone of Alberta public sector accountability. The importance of transparency has long been captured in one of the Government of Alberta’s goals. The private sector’s
requirement for transparency of process and of compliance with sound governance practices should be an established expectation for Alberta public sector boards.
Additional recommendations
We issued a report to the government and boards on the results of our examination of the processes to recruit, evaluate and train board members.
The full report is on our website at www.oag.ab.ca.
Challenges need to
be addressed In the report, we make additional recommendations that support the two key recommendations. If these additional recommendations are
implemented, they will assist in addressing the two key recommendations.
The specific recommendations address the following challenges:
• The need to ensure that the Directive for recruiting directors is consistent with current best practice.
• The importance of boards being transparent about their governance, in particular recruitment processes.
• The provision of guidance to assist boards in establishing
performance expectations and evaluation mechanisms, including:
• The need for clear expectations for each director
• The importance of periodic performance evaluations for both individual directors and the board as a whole, and who should receive the results of the evaluation
• The need for efficient, relevant and effective training programs for directors.
Implications and risks if recommendations not implemented
Recruiting, evaluating and training processes can improve governance
Organizations are always at risk of not meeting their goals and of
behaving unethically. Governance is how these risks can be managed. But good governance, producing effective and ethical organizations, does not just occur. Boards made up of directors who are capable and willing to
Audits and recommendations Cross-Ministry
doing, and if they do not get training to improve their governance skills, then the effectiveness of their organizations is jeopardized. Organizations earn confidence in the state of their governance by publicly showing that their board recruiting, evaluating and training processes match current good practice.
The recruiting, evaluating and training processes will only be relevant if they help governing boards to improve their organization’s effectiveness.
However, since a director’s time is limited, its use must be productive.
Each organization must therefore focus on improvements that maintain their directors’ efficiency.
1.2 Internal audit departments Background
Internal audit provides needed assurance
We found that stakeholders in both the public and private sector increasingly value the oversight role performed by audit committees.
Professional literature on governance often refers to this role as a
fundamental part of sound governance. For example, an audit committee’s role often includes the oversight of risk management and internal control systems, two critical elements for good governance. To fulfill their oversight responsibilities audit committees need assurance that all significant risks have been identified and effectively mitigated. Audit committees look to their organization’s internal audit department as an important source of the needed assurance. Audit committees need to set clear expectations for their internal audit departments including that the departments conform to International Standards for the Professional Practice of Internal Audit (IIA Standards).
Internal audit is important to the public sector
The Alberta public service recognizes the importance of internal audit. A number of organizations, such as the Universities of Alberta and Calgary, the Workers’ Compensation Board and ATB Financial have had internal audit departments for many years. In May 2003, the Alberta government established the Office of the Chief Internal Auditor (OCIA). The OCIA
provides internal audit services to all government ministries. Other Alberta public sector organizations have recently established or are now establishing internal audit departments.
As a result of the changes within internal audit, we decided to examine the performance of internal audit departments in Alberta public sector organizations. In particular, we assessed the operation of the 11
departments selected (9 were examined in detail) against leading internal
Audits and recommendations Cross-Ministry
Recommendation No. 3
We recommend that the Deputy Minister of Executive Council provide audit committees with guidance for overseeing internal audit departments, including identifying related training.
Our key conclusions
Internal audit
needs to improve In general, internal audit departments need to improve, in some cases significantly. This is not surprising for new internal audit departments. To assist each organization audited we provided them with a copy of our overall report and a report tailored to their situation. The overall report is available on our website at www.oag.ab.ca. In the report specific to the organization, we included recommendations on areas the internal audit department needed to improve.
Audit committees need to champion internal audit
A common theme evolved from our work—audit committees need to support their internal audit department by:
• setting clear performance expectations focused on results
• ensuring terms of reference for the audit committee and for internal audit are aligned and consistent with IIA Standards
• demanding that internal audit practices in their organization comply with IIA Standards and follow best practices
• requiring auditors to focus on key risks of the organization
• ensuring that the department has the necessary resources to meet its terms of reference
The need to champion internal audit will require audit committees to recognize that internal audit is an important resource to them, to actively work with leaders of internal audit and to gain a deeper understanding of internal audit standards.
Public sector internal audit departments can improve their effectiveness and efficiency by implementing best practices and improving
relationships with management. They should also adopt policies and procedures that clearly define their audit methodology and performance expectations and include a code of conduct.
As a significant stakeholder, the government has a role in assisting audit committees in their oversight of internal audit departments in the public sector.
Audits and recommendations Cross-Ministry
department would demonstrate that it was effective, complied with IIA
Standards and met best practices. We drew the criteria from sources such as the pronouncements of the Institute of Internal Auditors (IIA), Auditors General in other jurisdictions, and current literature. We provided the criteria to each organization we audited for their comments. All the organizations generally agreed with our criteria. The criteria, addressed the areas of:
• Audit committees expectations, direction and accountabilities
• Relationship of internal audit departments to their organization
• Internal audit skills, capabilities and audit approach Our audit findings
Quality of audit
work varied The quality of audit work varied among the internal audit departments we examined. Newer departments generally had better terms of reference, but lacked resources and the required skills. Well established departments tended to be further along in developing policies and procedures and in assessing risks across their organization. However, all departments face the challenge of adapting their practices in areas where the IIA has provided new guidance. We noted some good practices and examples of effective auditing. We also observed that internal audit departments are willing to work together to share good practices.
Internal auditors
are facing change As we have stated in other reports on governance, a great deal of change is occurring with governance. The pressure for change is affecting internal audit departments. Our findings are consistent with the observation that internal auditors, in many cases, are at the start of the change. We present further detailed findings using the three areas that our criteria addressed.
Long-term plans and performance measures not required by terms of reference
Audit committee’s expectations, direction and accountabilities—A couple of the internal audit departments we examined do not have terms of reference in place that define the purpose, authority and responsibility of the internal audit department. There is not proper alignment between the terms of references of internal audit departments, the terms of
reference of audit committees and management practices, in many cases.
None of the terms of references require internal audit departments to develop long-term strategic plans and most do not require any reporting against agreed to performance measures. A long-term internal audit plan is essential to demonstrate alignment of proposed audits to the
organization’s risks, highlight strategic internal audit initiatives and develop annual audit plans.
Audits and recommendations Cross-Ministry
of management department. There are also three cases where internal audit departments’
independence is compromised as internal audit leaders either do not report directly to audit committees, or do not meet regularly with their audit committees. Internal audit departments should be organizationally independent of management and report directly to audit committees.
We did observe a good practice in that two of the leaders of internal audit departments had regular monthly meetings with the Chair of their audit committee to discuss developments and progress.
Plans need to focus
on key risks The internal audit plans we examined were often only lists of intended projects making it difficult for audit committees to determine whether the plans are risk-based, or if there are resource or skills gaps. Four of nine internal audit departments we examined have defined their audit universe1 and have completed a risk assessment. But they have not prepared a long-term plan. A long-long-term plan would provide the audit committee and management with information linking the audit universe to the planned audits. Through effective risk assessments and planning, internal audit can show that it is focusing on the key risks that matter to the organization.
Also, plans will demonstrate the connection between the focus of internal audit and the organizations’ business objectives.
Internal audit departments are not regularly reporting to audit committees on progress against their plan. Regular reporting allows audit committees to assess internal audit’s effectiveness, priorities and resource allocation.
Increased value required from internal audit
Relationship of internal audit departments to their organization—
Key executives in more than half the organizations and audit committees in a third of the organizations stated that they expected more value from internal audit. We also heard from three internal audit leaders that their department would benefit from increased support from senior
management or their audit committees. If the internal audit department does not show that it can add value its recommendations may not be implemented. Thus, significant risks may not be mitigated.
Co-developed plans and timely, risk-rated reports needed
A co-developed approach to assessing risk, project planning that involves both the internal audit department and management, and vetting
recommendations with the audit committee and senior management would increase the success of internal audit departments in showing value. We also heard from management and audit committees that they valued timely internal audit reports. Two internal audit departments did
Audits and recommendations Cross-Ministry
not complete significant audits promptly. Few departments disclosed in their reports that they followed IIA standards or rated recommendations as low, medium, or high-risk to make audit reports more meaningful to the readers.
Recommendations were supported and agreed
Our sample of 11 audit files from 3 organizations indicated that the internal audit departments’ recommendations were supported by audit evidence and were generally accepted by management. However, given the deficiencies in the project plans we were unable to determine if all possible issues were identified in the audits.
Few supplementary
codes of conduct Internal audit skills, capabilities and audit approach—Only four internal audit departments have developed a code of conduct that adequately covers the four principles appropriate for internal auditors—
integrity, objectivity, confidentiality and competency. Although many of the organizations audited had a corporate code of conduct and the IIA has a code of ethics, internal audit departments should supplement these codes with a code of conduct that takes into account the uniqueness of the internal audit department and its function within the particular
organization. Internal auditors should sign an annual commitment to these codes.
Internal audit departments want to increase skill capacity
Over half of the audit departments indicate that they needed auditors with specialized skills; for example, skills for auditing information technology systems, risk management processes, and specialized financial
transactions specific to the organization. Three organizations were recruiting an internal audit leader. Two organizations indicated that they wanted to increase their internal audit resources. One department did not have an adequate plan for their training requirements.
Few documented policies,
procedures and methodologies
Fewer than half of the departments examined had adequate documentation of their policies, procedures and audit methodology to provide their internal auditor staff with the necessary level of guidance and support.
One third of the departments we examined are now documenting or updating their policies, procedures and audit methodologies.
Most departments did not have a quality assurance program
Only one internal audit department had carried out a quality assurance program. That department carried out a self-assessment which did not involve an independent review. The IIA Standards require an independent review at least every five years. Quality assurance programs provide internal audit leaders and audit committees with assurance that internal
Audits and recommendations Cross-Ministry
risk assessments, the criteria used for individual audits, and the audit file reviews. A quality assurance program would reinforce the need for internal audit staff to comply with these and other standards and leading practices.
Implications and risks if recommendation not implemented Audit committees increasingly rely on internal audit for assurance on the design and operating effectiveness of organizations’ systems of internal control. If internal audit departments do not follow their profession’s standards or adopt relevant best practice, then this reliance may be unwarranted. Also, audit committees may not be aware of potentially significant risks or risks that have not been mitigated. Thus, audit committees may not fulfill their mandate and the organization may not achieve its objectives.
1.3 Audit committees—satisfactory progress
Proposed guidance developed for audit committees
Previously, we recommended that the Deputy Minister of Executive Council, working through other deputy ministers, take steps to improve
Previously, we recommended that the Deputy Minister of Executive Council, working through other deputy ministers, take steps to improve